Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | 1 | Upstream-Status: Backport |
| 2 | CVE: CVE-2017-8872 |
| 3 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 4 | |
| 5 | From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001 |
| 6 | From: Nick Wellnhofer <wellnhofer@aevum.de> |
| 7 | Date: Tue, 11 Sep 2018 14:52:07 +0200 |
| 8 | Subject: [PATCH] Free input buffer in xmlHaltParser |
| 9 | |
| 10 | This avoids miscalculation of available bytes. |
| 11 | |
| 12 | Thanks to Yunho Kim for the report. |
| 13 | |
| 14 | Closes: #26 |
| 15 | --- |
| 16 | parser.c | 5 +++++ |
| 17 | result/errors/759573.xml.err | 17 +++++++---------- |
| 18 | 2 files changed, 12 insertions(+), 10 deletions(-) |
| 19 | |
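--- a/parser.c
+++ b/parser.c
@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
 ctxt->input->free((xmlChar *) ctxt->input->base);
 ctxt->input->free = NULL;
 }
+ if (ctxt->input->buf != NULL) {
+ xmlFreeParserInputBuffer(ctxt->input->buf);
+ ctxt->input->buf = NULL;
+ }
 ctxt->input->cur = BAD_CAST"";
+ ctxt->input->length = 0;
 ctxt->input->base = ctxt->input->cur;
 ctxt->input->end = ctxt->input->cur;
 }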
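Review bot: The added block frees `ctxt->input->buf` with no comment saying why, and any pointer into that buffer saved before the call to xmlHaltParser is left dangling once it returns. I would add a comment above the new `if`, e.g. `/* base/cur/end are reset to a static empty string below, so release buf too; otherwise available-bytes calculations would still use the old buffer */`. The callers are outside this hunk, so it is worth confirming that code running after a halt (presumably the push-parsing path in particular) tests `ctxt->input->buf` for NULL and re-reads `ctxt->input->cur` rather than reusing cached pointers. The body of xmlHaltParser starts above the hunk, so the enclosing `ctxt->input != NULL` guard is assumed rather than visible here.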
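--- a/result/errors/759573.xml.err
+++ b/result/errors/759573.xml.err
@@ -21,14 +21,11 @@ Entity: line 1:
 ^
 ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
 
-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
- ^
+
+^
 ./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
- ^
-./test/errors/759573.xml:1: parser error : StartTag: invalid element name
-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
- ^
-./test/errors/759573.xml:1: parser error : Extra content at the end of the document
-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
- ^
+
+^
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
+
+^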
| 63 | -- |
| 64 | 2.11.0 |
| 65 | |